Then there was the Sony hack, possibly the biggest in history, which showed just how much damage can be inflicted on an organization by the compromise of just one privileged access account.

The impact of the compromise of a privileged access account with unrestricted access is clear, and most organizations are taking measures to minimize the number of such accounts and to adequately protect them.

However, the impact of the compromise of a privileged access account with restricted access may not be as clear, and consequently many such accounts may today be vulnerable to compromise.

I. Impact of Compromise of a Privileged Access Account with Unrestricted Access

Should a malicious perpetrator be able to compromise an account or group that has unrestricted privileged access in your network, suffice it to say that he/she could own your entire network.

Furthermore, depending on the perpetrator's level of expertise, he/she could also instantly prevent your entire admin staff from logging on, and automate the destruction of your entire network.

It is imperative to understand that because the administrator of a system is by definition an integral part of the system's Trusted Computing Base (TCB), he/she can always turn off, disable, bypass or circumvent any additional security measure put in place to prevent him/her from accessing a resource on that system. The administrator of a system can never be prevented from obtaining access to any and every IT resource in the system.

Consequently, any Active Directory administrator can always obtain access to any IT resource stored on any domain-joined machine across the domain, regardless of the protections applied on that machine. Period.

Unlike Domain Admins, who possess unrestricted privileged access, IT personnel to whom specific administrative tasks (such as resetting passwords or managing group memberships) are delegated have restricted administrative/privileged access, usually within Active Directory.

These individuals are commonly referred to as delegated administrators and in contrast to unrestricted privileged access accounts, their user accounts have restricted privileged access.

Because these restricted access privileged accounts usually have the ability to manage user accounts, computer accounts, security groups and OUs, their compromise can easily be used to gain access to a large number of organizational IT resources across the network, the extent of which depends on the amount of administrative access delegated to the compromised account.

In fact, in most organizations, no one seems to know exactly who is delegated what administrative access, and many of these accounts, unbeknownst to them or to the IT groups, often have sufficient privileges to be able to actually manage accounts that have unrestricted administrative access, thus making them lucrative targets (low-hanging fruit) for malicious perpetrators.

For instance, in a poorly implemented delegation structure, a delegated administrator may (unbeknownst to him or anyone else) actually have the ability to reset the password of another delegated administrator, who in turn has the ability to reset the password of a Domain Admin account, in effect creating a privilege escalation path. For example, consider a situation wherein John Doe, a delegated administrator, has the Reset Password extended right granted to him on Jane Doe's account, and Jane Doe in turn has the Reset Password extended right granted to her on a Domain Admin's account. John Doe can then elevate his privilege to that of a Domain Admin within seconds: he resets Jane's password, logs on as Jane, resets the Domain Admin's password, and logs on as the Domain Admin. (Note that the accounts of Domain Admins are protected by AdminSDHolder, discussed in 10 below: SDProp periodically overwrites their security descriptors with the AdminSDHolder ACL, so a right granted directly on such an account is removed on the next pass, whereas a right granted on AdminSDHolder itself persists.)
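The escalation path described above can be found mechanically. The following is an added example (not the article's own code, and not a product feature): it reads the security descriptor of each user account, checks whether a given principal is granted the Reset Password extended right on it, and searches breadth-first for a chain of such rights that ends on a member of Domain Admins. The same ACE check, driven by the $Rights table, answers "who can write group membership", "who can write userAccountControl" and "who can link a GPO", the rights the later sections discuss. It assumes the RSAT ActiveDirectory module and a domain-joined session; the account name 'jdoe' is hypothetical.

```powershell
# Added example (not the article's own code). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Object-specific rights, keyed by the GUID an ACE carries in its ObjectType field.
$Rights = @{
    ResetPassword = @{ Guid = [guid]'00299570-246d-11d0-a768-00aa006e0529'; Mask = $ADR::ExtendedRight }  # User-Force-Change-Password
    WriteMember   = @{ Guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'; Mask = $ADR::WriteProperty }  # member attribute
    WriteUac      = @{ Guid = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'; Mask = $ADR::WriteProperty }  # userAccountControl attribute
    LinkGpo       = @{ Guid = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'; Mask = $ADR::WriteProperty }  # gPLink attribute
}

# Every SID an ACE could name to reach the object: its own SID, all nested groups it belongs to
# (resolved server-side with LDAP_MATCHING_RULE_IN_CHAIN) and the two well-known SIDs every
# authenticated principal carries.
function Get-PrincipalSids {
    param([string]$DistinguishedName)
    $sids = @((Get-ADObject -Identity $DistinguishedName -Properties objectSid).objectSid.Value)
    $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $sids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" | ForEach-Object { $_.SID.Value }
    $sids += 'S-1-1-0', 'S-1-5-11'    # Everyone, Authenticated Users
    $sids
}

# True if an Allow ACE on the object grants $RightName to any SID in $PrincipalSids.
# Deliberately simplified: Deny ACEs, owner rights and property sets are not evaluated.
function Test-AceGrants {
    param([string]$DistinguishedName, [string[]]$PrincipalSids, [string]$RightName)
    $want = $Rights[$RightName]
    $acl = (Get-ADObject -Identity $DistinguishedName -Properties nTSecurityDescriptor).nTSecurityDescriptor
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $null
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        if (-not $sid -or $PrincipalSids -notcontains $sid) { continue }
        $r = $ace.ActiveDirectoryRights
        # Full control, or control over the DACL or owner, implies every right in the table
        if ($r.HasFlag($ADR::GenericAll) -or $r.HasFlag($ADR::WriteDacl) -or $r.HasFlag($ADR::WriteOwner)) { return $true }
        # The specific right, either scoped to this GUID or unscoped (ObjectType empty = all)
        if ($r.HasFlag($want.Mask) -and ($ace.ObjectType -eq $want.Guid -or $ace.ObjectType -eq [guid]::Empty)) { return $true }
    }
    return $false
}

# Breadth-first search over "can reset the password of" edges, starting at $StartSam and
# stopping at the first chain that ends on a Domain Admins member. Returns the chain of DNs.
function Find-ResetPasswordPath {
    param([string]$StartSam, [int]$MaxHops = 3)
    $domainAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
                    Where-Object objectClass -eq 'user' | ForEach-Object distinguishedName
    $users = Get-ADUser -Filter * | ForEach-Object DistinguishedName
    $start = (Get-ADUser $StartSam).DistinguishedName
    $queue = New-Object 'System.Collections.Generic.Queue[object]'
    $queue.Enqueue(@($start))
    $seen = @{ $start = $true }
    while ($queue.Count) {
        $path = $queue.Dequeue()
        if ($path.Count -gt 1 -and $domainAdmins -contains $path[-1]) { return $path }
        if ($path.Count -gt $MaxHops) { continue }
        $sids = Get-PrincipalSids $path[-1]
        foreach ($dn in $users) {
            if ($seen[$dn]) { continue }
            if (Test-AceGrants -DistinguishedName $dn -PrincipalSids $sids -RightName ResetPassword) {
                $seen[$dn] = $true
                $queue.Enqueue($path + $dn)
            }
        }
    }
}

# Does a chain of reset-password rights lead from 'jdoe' (hypothetical) to a Domain Admin?
Find-ResetPasswordPath -StartSam 'jdoe' -MaxHops 3
```

Each hop re-reads the security descriptor of every user, so on a large domain this is slow and is meant as an illustration of the check rather than a production audit. A chain that ends on a Domain Admins member is also worth a second look: since SDProp re-stamps those accounts from AdminSDHolder, such an ACE is either waiting to be overwritten, or AdminSDHolder itself has been changed.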

For illustrative purposes, below, we consider the impact of compromise of restricted (delegated) access administrative accounts that only have sufficient access to perform individual tasks such as the following –

Create a domain user account

Reset a domain user account's password

Modify the membership of a domain security group

Delete a domain security group

Modify the userAccountControl attribute on a computer's account object

II. Impact of Compromise of a Privileged Access Account with Restricted Access

Malicious perpetrators can also very quickly gain substantial power by compromising delegated administrative accounts that only have restricted access granted to them in Active Directory. The following examples illustrate the impact of compromise of delegated administrative accounts that only possess sufficient access to perform specific administrative tasks in Active Directory –

1. Impact of compromise of an administrative (privileged access) account that can create domain user accounts

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to create domain user accounts, he/she will be able to create a user account under a name of his/her choosing and use it for malicious activity that is not, on its face, attributable to the compromised account or to the perpetrator. In effect it would allow him/her to repudiate any and all unauthorized access, at least until an investigator correlates the creation of the account (which a domain controller does record, as event 4720, when account management auditing is enabled) back to the compromised account.

The ability to create a domain user account would also enable the malicious perpetrator to obtain access to all IT resources across the network to which Authenticated Users or Domain Users (the default primary group of every new account) is granted access.

2. Impact of compromise of an administrative (privileged access) account that can reset a domain user account's password

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to reset a domain user account's password, he/she will be able to instantly take over that account. If that account happens to be more privileged than the perpetrator's account, then in effect the perpetrator would also have escalated his/her privilege.

The ability to reset the password of an unrestricted administrative access account holder would enable the malicious perpetrator to instantly obtain access to all IT resources on the network.

3. Impact of compromise of an administrative (privileged access) account that can modify the membership of a domain security group

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to modify the membership of a domain security group, he/she will be able to grant anyone, including himself/herself, access to all IT resources on the network to which that group currently has access, as well as remove existing members and thereby prevent them from accessing these IT resources.

The ability to modify the membership of an unrestricted administrative access group would also enable the malicious perpetrator to instantly obtain access to all IT resources on the network.

4. Impact of compromise of an administrative (privileged access) account that can delete a domain security group

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to delete a domain security group, he/she will be able to deny all members of that group access to all IT resources on the network to which that group currently has access, in effect launching a denial-of-service (DoS) attack of sorts on these IT resources.

More importantly, if the group was being used to deny access to IT resources, the deletion of the group would expose these IT resources to risk, as the deny permissions would no longer apply. Recreating a group with the same name does not undo either effect: the new group has a different SID, and the existing allow and deny ACEs still reference the old one. Only an authoritative restore, or a restore from the Active Directory Recycle Bin, brings back the original SID and membership.
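Both of the cases in 3 and 4 leave a trace in the Security log of the domain controller that processed the change, provided the "Audit Security Group Management" subcategory is enabled. The following added example (not the article's own code) shows the detection logic: it extracts the group, member and acting account from the group-management events, alerts on any membership change to a privileged group and on every group deletion, and is run here over two constructed sample events. The group, account and actor names in the samples are hypothetical.

```powershell
# Added example (not the article's own code). Event IDs and field names are those of the
# Security log on a domain controller; the sample events below are constructed.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$EventKinds = @{
    4728 = 'MemberAdded';   4732 = 'MemberAdded';   4756 = 'MemberAdded'      # global / domain-local / universal
    4729 = 'MemberRemoved'; 4733 = 'MemberRemoved'; 4757 = 'MemberRemoved'
    4730 = 'GroupDeleted';  4734 = 'GroupDeleted';  4758 = 'GroupDeleted'
}

# Pull the fields that matter out of one event's XML (the form Get-WinEvent's ToXml() returns).
function ConvertFrom-GroupEvent {
    param([xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $id = [int]$EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
    if (-not $EventKinds.ContainsKey($id)) { return }
    $d = @{}
    foreach ($n in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    [pscustomobject]@{
        Time    = $EventXml.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        EventId = $id
        Kind    = $EventKinds[$id]
        Group   = $d['TargetUserName']     # the group that was changed or deleted
        Member  = $d['MemberName']         # DN of the member added or removed (absent for deletions)
        Actor   = $d['SubjectUserName']    # the account that made the change
    }
}

# Alert on any membership change to a privileged group, and on every group deletion, since a
# deleted group also silently removes any Deny ACEs that referenced it (section 4).
filter Get-GroupChangeAlerts {
    if ($_.Kind -eq 'GroupDeleted' -or $PrivilegedGroups -contains $_.Group) { $_ }
}

# Constructed sample events: a member added to Domain Admins, then a deny group deleted.
$Sample1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4728</EventID><TimeCreated SystemTime="2024-03-01T10:15:00.000Z"/></System><EventData><Data Name="MemberName">CN=John Doe,OU=Staff,DC=corp,DC=example</Data><Data Name="TargetUserName">Domain Admins</Data><Data Name="SubjectUserName">helpdesk01</Data></EventData></Event>
'@
$Sample2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4730</EventID><TimeCreated SystemTime="2024-03-01T10:16:00.000Z"/></System><EventData><Data Name="TargetUserName">Finance-Share-Deny</Data><Data Name="SubjectUserName">helpdesk01</Data></EventData></Event>
'@
$Sample1, $Sample2 | ForEach-Object { ConvertFrom-GroupEvent ([xml]$_) } | Get-GroupChangeAlerts |
    Format-Table Time, EventId, Kind, Group, Member, Actor

# Against a live domain controller, feed the last 24 hours of events instead of the samples:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($EventKinds.Keys); StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-GroupEvent ([xml]$_.ToXml()) } | Get-GroupChangeAlerts
```

The Actor column is the point of the exercise: when it is a delegated administrator's account rather than a known change-control identity, that account is either misused or compromised, and the membership change it made should be reverted and the account investigated.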

5. Impact of compromise of an administrative (privileged access) account that can modify the userAccountControl attribute on a computer account's object

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to modify the userAccountControl attribute on a computer account object, he/she will be able to set the "Trust this computer for delegation to any service (Kerberos only)" option, i.e. the TRUSTED_FOR_DELEGATION flag, on that computer account. Clients that subsequently authenticate to a service on that computer with Kerberos forward a copy of their TGT to it. Should the perpetrator also have administrative access over the computer, he/she could launch a service on it and, using the forwarded TGTs, impersonate any client that he/she could lure to use the service, across the network. The exceptions are accounts marked "Account is sensitive and cannot be delegated" and members of the Protected Users group, whose TGTs are never forwarded.

More importantly, if the malicious perpetrator could lure a user who has administrative access to use such a service, he/she could in effect escalate his/her privilege to that of an administrator.

6. Impact of compromise of an administrative (privileged access) account that can modify the security permissions protecting an Organizational Unit

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to modify the security permissions protecting an organizational unit, he/she will be able to grant himself/herself inheritable permissions (for example, Full Control) that flow down to, and completely control, every object stored in that OU, including all domain user and computer accounts, security groups and child OUs.

The only exception to the above is objects whose security descriptors are marked protected, i.e. on which inheritance has been disabled (as SDProp does for the objects it stamps from AdminSDHolder); these are not impacted by inheritable permissions and are thus protected from such changes.

7. Impact of compromise of an administrative (privileged access) account that can link a Group Policy Object (GPO) to an Organizational Unit

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to link a GPO to an organizational unit (OU), he/she will be able to link another GPO to the OU, the result of which is that it could potentially weaken the resulting security and other settings on the computers whose computer accounts reside in that OU.

If the malicious perpetrator also has the ability to create GPOs and/or modify the settings of an existing GPO, he/she could also grant or deny any user or group of his/her choice administrative access on all computers whose accounts reside in that OU (for instance, through the Restricted Groups setting, which controls the membership of the local Administrators group). In light of this, should he/she be able to link a GPO to a high-level OU or to the domain itself, he/she could grant any user or group of choice unrestricted power across the network.

8. Impact of compromise of an administrative (privileged access) account that can disable the Smart card is required for interactive logon option on domain user accounts

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to disable the Smart card is required for interactive logon option on domain user accounts, he/she will be able to clear that option (the SMARTCARD_REQUIRED flag in userAccountControl) on such an account, in effect downgrading the security of that domain user account to password-based security.

Once the security of an account that originally required a Smartcard for authentication is downgraded to being password based, the account is susceptible to all password-related attacks. Note that when the option is set, the domain controller assigns the account a random password, and that password remains in place when the option is cleared; a perpetrator who can also reset the account's password, or who has captured its password hash, can then log on with it.
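Both 5 and 8 come down to single bits in userAccountControl, so they can be audited and watched together. The following added example (not the article's own code) lists non-domain-controller computers trusted for unconstrained delegation along with the Domain Admins members such a host could still impersonate, and diffs every account's flags against a snapshot from the previous run so that the delegation flag being set, or the smart card flag being cleared, is reported. It assumes the RSAT ActiveDirectory module; the baseline file path is hypothetical.

```powershell
# Added example (not the article's own code). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# LDAP userAccountControl bits (values as documented for the attribute)
$UAC = @{
    SERVER_TRUST_ACCOUNT   = 0x2000     # domain controller
    SMARTCARD_REQUIRED     = 0x40000    # "Smart card is required for interactive logon"
    TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
    NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"
}
$BitAnd = '1.2.840.113556.1.4.803'     # LDAP_MATCHING_RULE_BIT_AND

# Section 5: computers with unconstrained delegation that are not domain controllers (DCs carry
# the flag legitimately), plus the Domain Admins members that neither NOT_DELEGATED nor
# Protected Users membership shields from being impersonated through such a host.
function Get-UnconstrainedDelegationFindings {
    $filter = "(&(userAccountControl:$BitAnd:=$($UAC.TRUSTED_FOR_DELEGATION))" +
              "(!(userAccountControl:$BitAnd:=$($UAC.SERVER_TRUST_ACCOUNT))))"
    $hosts = Get-ADComputer -LDAPFilter $filter
    $exposed = Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties userAccountControl, memberOf | Where-Object {
            -not ($_.userAccountControl -band $UAC.NOT_DELEGATED) -and
            -not ($_.memberOf | Where-Object { $_ -like 'CN=Protected Users,*' }) }
    [pscustomobject]@{ UnconstrainedHosts = @($hosts.Name); DelegatableAdmins = @($exposed.SamAccountName) }
}

# Sections 5 and 8: compare every account's flags with the previous snapshot, report the two
# transitions that matter, then store the current flags as the next baseline.
function Compare-UacBaseline {
    param([string]$BaselinePath = 'C:\Audit\uac-baseline.json')   # hypothetical path
    $current = @{}
    Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties userAccountControl |
        ForEach-Object { $current[$_.DistinguishedName] = [int]$_.userAccountControl }
    if (Test-Path $BaselinePath) {
        $old = Get-Content $BaselinePath -Raw | ConvertFrom-Json
        foreach ($dn in $current.Keys) {
            $before = $old.$dn
            if ($null -eq $before) { continue }              # object did not exist last run
            $set     = $current[$dn] -band -bnot $before     # bits that are now on
            $cleared = $before -band -bnot $current[$dn]     # bits that are now off
            if ($set -band $UAC.TRUSTED_FOR_DELEGATION) { "$dn : unconstrained delegation ENABLED" }
            if ($cleared -band $UAC.SMARTCARD_REQUIRED)  { "$dn : smart card requirement CLEARED" }
        }
    }
    $current | ConvertTo-Json | Set-Content $BaselinePath
}

Get-UnconstrainedDelegationFindings
Compare-UacBaseline
```

The first run of Compare-UacBaseline only records the snapshot; subsequent runs report the transitions. A reported host or account still needs to be reconciled with change records, since both flags are also set legitimately, but a delegated administrator setting unconstrained delegation on a member server, or clearing the smart card requirement on someone else's account, is exactly the activity that should not happen unnoticed.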

9. Impact of compromise of an administrative (privileged access) account that can modify the keywords of a service connection point

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to modify the keywords of a service connection point that is published in Active Directory, he/she will be able to prevent clients that locate the service by searching for those keywords from finding it, in effect launching a denial of service attack on the service that relies on or utilizes that service connection point.

The ability to launch a denial-of-service (DoS) attack on an internal service could potentially have serious security and operational ramifications, depending on the nature of that service.

10. Impact of compromise of an administrative (privileged access) account that can modify the security permissions on the AdminSDHolder object

Should a malicious perpetrator be able to compromise an administrative account that has sufficient effective permissions to be able to modify the security permissions on the AdminSDHolder object, he/she will be able to control the security protecting every protected administrative account and group in Active Directory, because the SDProp process (which runs on the PDC emulator every 60 minutes by default) copies the AdminSDHolder ACL onto every member of the protected groups, in effect giving him/her system-wide unrestricted administrative access.

The ability to modify the security permissions on the AdminSDHolder object is thus one of the quickest ways for a malicious perpetrator to own and control all Active Directory administrative accounts and groups, and by extension own and control the entire network, and unlike an ACE placed directly on an administrative account, a change made here is re-applied by SDProp rather than removed by it.
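Because SDProp propagates whatever is on AdminSDHolder, its ACL deserves a standing check. The following added example (not the article's own code) lists the Allow ACEs on AdminSDHolder that grant a write-class right to anyone other than SYSTEM, Administrators, Domain Admins or Enterprise Admins, compares the live DACL with a saved known-good copy, enumerates the objects SDProp has stamped, and triggers an immediate SDProp pass after a clean-up. It assumes the RSAT ActiveDirectory module; the baseline file path is hypothetical.

```powershell
# Added example (not the article's own code). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$AdminSdHolderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Principals expected to hold write-class rights on AdminSDHolder. Enterprise Admins lives in
# the forest root, so its SID is built from the root domain's SID rather than this domain's.
$rootSid  = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$Expected = 'S-1-5-18', 'S-1-5-32-544', "$($domain.DomainSID.Value)-512", "$rootSid-519"  # SYSTEM, Administrators, Domain Admins, Enterprise Admins
$WriteClass = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight'

# Allow ACEs that grant any write-class right to a principal outside $Expected.
function Get-AdminSdHolderWriteAces {
    $acl = Get-Acl -Path "AD:\$AdminSdHolderDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $WriteClass) -eq 0) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($Expected -contains $sid) { continue }
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Rights = $ace.ActiveDirectoryRights; ObjectType = $ace.ObjectType }
    }
}

# Compare the live DACL (as SDDL) with a saved known-good copy; the first run records it.
function Compare-AdminSdHolderSddl {
    param([string]$BaselinePath = 'C:\Audit\adminsdholder.sddl')   # hypothetical path
    $sddl = (Get-Acl -Path "AD:\$AdminSdHolderDn").Sddl
    if (-not (Test-Path $BaselinePath)) { Set-Content -Path $BaselinePath -Value $sddl; return 'baseline recorded' }
    if ((Get-Content $BaselinePath -Raw).Trim() -eq $sddl) { 'unchanged' } else { 'CHANGED: review Get-AdminSdHolderWriteAces' }
}

# Objects SDProp has stamped (adminCount=1). adminCount is not cleared when an account leaves
# a protected group, so stale entries keep the protected ACL and belong in the review as well.
function Get-ProtectedObjects {
    Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf
}

# After removing a rogue ACE, run SDProp now instead of waiting for its next scheduled pass.
function Invoke-SdProp {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $rootDse.Put('runProtectAdminGroups', 1)
    $rootDse.SetInfo()
}

Get-AdminSdHolderWriteAces | Format-Table -AutoSize
Compare-AdminSdHolderSddl
Get-ProtectedObjects | Select-Object Name, ObjectClass, DistinguishedName
```

The default AdminSDHolder ACL also contains a few narrow entries outside the four expected principals (for example, Everyone and SELF for password changes), so the first run of Get-AdminSdHolderWriteAces should be reconciled by hand and the SDDL baseline recorded at that point; after that, any difference reported by Compare-AdminSdHolderSddl is a change that somebody made and should be able to explain.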

In order to adequately protect the entirety of their IT resources, it is imperative that organizations ensure that both unrestricted and restricted (delegated) administrative (privileged) access provisioned in their Active Directory deployments adheres to the principle of least privilege at all times, because the compromise of a single privileged access account can result in the compromise of the entire network. Organizations can assess the true state of restricted access delegated in their Active Directory today by performing an Effective Privileged Access Audit.